The Essential Eight — a plain-language guide for medical practices
4 July 2026 · 7 min read
The Essential Eight is a set of cybersecurity strategies published by the Australian Cyber Security Centre (ACSC) — the government agency responsible for national cybersecurity. It's not a vendor product, a certification, or a compliance framework you pay to join. It's a practical list of eight technical controls that, if implemented, would prevent the vast majority of cyberattacks that affect Australian organisations.
The ACSC developed it by analysing real attacks against Australian businesses and identifying which defences would have stopped them. The result is a prioritised, evidence-based list — not theoretical best practice, but proven controls.
Why medical practices need to pay attention
Healthcare is the most targeted sector for ransomware in Australia. Clinical records fetch thousands of dollars on dark web markets. Medicare portals, My Health Record, and online banking access mean a compromised GP workstation can be monetised immediately.
RACGP Standards 5th Edition requires practices to demonstrate reasonable information security measures. While the RACGP doesn't explicitly mandate Essential Eight compliance, auditors increasingly reference it as the benchmark for what "reasonable" looks like.
Cyber insurance premiums are also rising sharply for practices that can't demonstrate basic controls — and some insurers are declining to renew policies for practices that haven't implemented multi-factor authentication.
The eight controls, explained for a clinic
The ACSC rates each control at four maturity levels (0–3). Level one is the appropriate starting point for most small practices.
1. Application control
Prevent software from running unless it has been approved. In a clinic context, this means workstations only run your PMS (practice management system), Microsoft Office, and a handful of known applications — not random downloads or scripts.
Why it matters: A staff member clicking a malicious link can't install ransomware if the operating system won't run unapproved executables.
2. Patch applications
Keep browsers, Office, Adobe Reader, and other applications updated. Most successful attacks exploit vulnerabilities that have already been patched — attackers rely on organisations taking months to apply updates.
Why it matters: An unpatched Chrome or Edge browser is one of the most common ransomware entry points.
3. Configure Microsoft Office macro settings
Disable macros in Office documents by default. Malicious macros embedded in Word or Excel attachments are a primary delivery mechanism for malware, particularly in healthcare.
Why it matters: A "pathology result" or "referral letter" sent as a Word document with an embedded macro is a real and common attack vector against medical practices.
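As an added example (not from the ACSC or this guide), the script below lets an IT provider audit, and optionally set, the per-user Office macro policy on a single workstation. It assumes Office 2016 or later (the "16.0" policy key) and checks Word, Excel and PowerPoint; in a domain these values are normally delivered through Group Policy or Intune rather than a script.

```powershell
# Added example: audit (and optionally apply) the per-user Office macro policy
# on one workstation. Assumptions: Office 2016 or later (the "16.0" policy
# key) and the Word, Excel and PowerPoint applications.
$OfficeVersion = '16.0'                       # assumption: Microsoft 365 / Office 2016+
$Apps          = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroPolicy {
    # Returns one row per application with the two policy values that matter:
    #   VBAWarnings = 4                       -> all macros disabled without notification
    #   blockcontentexecutionfrominternet = 1 -> macros blocked in files that came
    #                                            from the internet (email, downloads)
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $vba
            BlockFromInternet = $block
            Compliant         = ($vba -eq 4) -and ($block -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Applies the "disable all macros, block internet macros" baseline for the
    # current user. A user with a documented need for signed macros would get
    # VBAWarnings = 3 (disable all except digitally signed) instead of 4.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit first; on a machine you are authorised to change, apply and re-audit.
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A row with Compliant = False means either macros are still allowed to run with a prompt (the setting attackers rely on a rushed receptionist clicking through) or internet-sourced files are not being blocked.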
4. User application hardening
Harden browsers and other user-facing applications — disable deprecated technologies, configure safe browser settings, and block access to high-risk web categories.
Why it matters: Clinical staff use browsers constantly for My Health Record, Medicare, and prescribing tools. A compromised browser session is a direct path to sensitive systems.
5. Restrict administrative privileges
Staff should not have administrator accounts on clinical workstations. IT admin access should be in separate accounts, used only when needed, and logged.
Why it matters: If a staff member's account is compromised, restricted privileges limit what the attacker can do. Ransomware run under a standard user account causes far less damage than ransomware run as an administrator.
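The check below is an added example, not part of this guide: it lists who holds local administrator rights on a workstation and flags anyone not on an approved list. It assumes Windows 10 or 11 (the LocalAccounts cmdlets) and a hypothetical allow-list; the account and group names in it are placeholders for whatever your IT provider actually uses.

```powershell
# Added example: find accounts with local administrator rights that should not
# have them. Assumptions: Windows 10/11 and a hypothetical approved list.
$ApprovedAdmins = @(
    'CLINIC-PC\Administrator',   # placeholder: built-in account (should be disabled, checked below)
    'CLINIC\IT-Admins'           # placeholder: the IT provider's dedicated admin group
)

function Get-UnexpectedLocalAdmins {
    # Every member of the local Administrators group that is not on the approved list.
    param([string[]]$Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-BuiltInAdminDisabled {
    # The built-in Administrator account (RID 500, whatever it has been renamed to)
    # should not be an everyday login.
    $builtIn = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-*-500' }
    -not $builtIn.Enabled
}

function Test-CurrentUserIsAdmin {
    # Clinical staff should see False here on their day-to-day account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$unexpected = @(Get-UnexpectedLocalAdmins)
if ($unexpected.Count -gt 0) {
    Write-Warning 'Accounts with admin rights that are not on the approved list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'Only approved accounts hold local administrator rights.'
}
Write-Host "Built-in Administrator disabled: $(Test-BuiltInAdminDisabled)"
Write-Host "Current user is an administrator: $(Test-CurrentUserIsAdmin)"
```

Run it on each workstation (or through PowerShell remoting from the IT provider's admin account) and keep the output: a clean result is straightforward evidence for an accreditation auditor that this control is in place.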
6. Patch operating systems
Keep Windows updated. Unpatched Windows vulnerabilities are routinely exploited in ransomware attacks — particularly network-level vulnerabilities that can spread from one workstation to every machine on your network within minutes.
Why it matters: The WannaCry outbreak in 2017 affected hospitals globally because they were running unpatched Windows. This class of risk hasn't gone away.
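As an added example that is not part of this guide, here is a spot check an IT provider can run on a workstation to see whether Windows updates are actually flowing. It assumes a fleet-management tool (Intune or an RMM) is the real source of truth and that the 30-day threshold is adjusted to match the practice's own patching policy; Get-HotFix only lists updates recorded by Win32_QuickFixEngineering, so treat it as an indicator rather than a full inventory.

```powershell
# Added example: quick patch-status check for one Windows workstation.
# Assumptions: the day threshold is a placeholder for the practice's policy.
function Get-PatchStatus {
    param([int]$MaxDaysSinceUpdate = 30)   # assumption: placeholder threshold

    # Most recent installed update that has a recorded install date.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    # Policy value that switches automatic updates off entirely (NoAutoUpdate = 1).
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                           -ErrorAction SilentlyContinue
    $autoUpdateDisabled = ($au.NoAutoUpdate -eq 1)

    # The Windows Update service itself must not be disabled.
    $svc = Get-Service -Name wuauserv

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LatestHotFix        = $latest.HotFixID
        InstalledOn         = $latest.InstalledOn
        DaysSinceLastUpdate = $daysSince
        AutoUpdateDisabled  = $autoUpdateDisabled
        UpdateServiceStart  = $svc.StartType
        NeedsAttention      = $autoUpdateDisabled -or ($svc.StartType -eq 'Disabled') -or
                              ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceUpdate)
    }
}

Get-PatchStatus | Format-List
```

A machine that reports NeedsAttention = True is exactly the kind of quietly forgotten workstation (the one in the treatment room nobody logs into) that ransomware spreads to first.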
7. Multi-factor authentication (MFA)
Require a second form of verification — typically a phone prompt or time-based code — for email, Medicare Online, My Health Record, remote access, and cloud services.
Why it matters: A stolen password on its own is of little use to an attacker if MFA is enabled. This is the single highest-impact control for most practices, and one of the fastest to implement.
8. Regular backups
Maintain offline or immutable backups of all clinical data, tested regularly. Ransomware specifically targets backup systems — your backup must be isolated from your main network.
Why it matters: If ransomware encrypts your clinical records, a current backup is the difference between a bad day and a catastrophic one. A backup to an always-connected network drive is not a sufficient safeguard.
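"Tested regularly" is the part practices most often skip, so here is an added example (not from this guide) of a scripted restore test for a file-based backup. It assumes the backup lands in a folder tree (the \\BACKUP-NAS\clinic path and the other paths are placeholders), that a SHA-256 manifest of the source data is recorded each time the backup runs, and that restoring means copying files back to a scratch folder and comparing them. Image-level backup products have their own verification; this shows the principle in a form you can schedule and keep the output of.

```powershell
# Added example: scripted restore test for a file-based backup.
# Assumptions: placeholder paths below; a manifest CSV (RelativePath,SHA256)
# produced from the live data at backup time by New-BackupManifest.
$BackupRoot   = '\\BACKUP-NAS\clinic'          # placeholder path
$ManifestPath = 'C:\BackupChecks\manifest.csv' # placeholder path
$ScratchDir   = 'C:\BackupChecks\restore-test' # placeholder path

function New-BackupManifest {
    # Run against the SOURCE data when the backup is taken: records every file's hash.
    param([string]$SourceRoot, [string]$OutPath)
    $base = $SourceRoot.TrimEnd('\')
    Get-ChildItem -Path $SourceRoot -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $OutPath -NoTypeInformation
}

function Test-BackupRestore {
    # Copies every file in the manifest out of the backup and verifies its hash.
    # Failed > 0 or Stale = True means the backup cannot be relied on.
    param([string]$Root = $BackupRoot, [string]$Manifest = $ManifestPath,
          [string]$Scratch = $ScratchDir, [int]$MaxAgeHours = 24)

    New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
    $entries = @(Import-Csv -Path $Manifest)
    $failed  = [System.Collections.Generic.List[string]]::new()

    foreach ($e in $entries) {
        $src = Join-Path $Root $e.RelativePath
        $dst = Join-Path $Scratch $e.RelativePath
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        if (-not (Test-Path $src)) { $failed.Add("$($e.RelativePath): missing from backup"); continue }
        Copy-Item -Path $src -Destination $dst -Force
        $hash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
        if ($hash -ne $e.SHA256) { $failed.Add("$($e.RelativePath): hash mismatch") }
    }

    # Freshness: the newest file in the backup should be recent.
    $newest   = Get-ChildItem -Path $Root -File -Recurse |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $ageHours = if ($newest) { ((Get-Date) - $newest.LastWriteTime).TotalHours } else { $null }

    [pscustomobject]@{
        FilesChecked       = $entries.Count
        Failed             = $failed.Count
        Failures           = $failed
        NewestFileAgeHours = if ($null -ne $ageHours) { [math]::Round($ageHours, 1) } else { $null }
        Stale              = ($null -eq $ageHours) -or ($ageHours -gt $MaxAgeHours)
    }
}

# Usage: build the manifest from the live data when the backup runs, then run the
# restore test on a schedule and file the result as accreditation evidence.
Test-BackupRestore | Format-List
```

The restore test should run from a machine and account that have read-only access to the backup location; if the same credentials that write the backup can also delete it, the isolation this control calls for is not really there.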
The three to prioritise first
If your practice hasn't started yet, focus here:
MFA first. Email, Medicare, and My Health Record are the highest-risk access points. Most MFA implementations take a few hours and don't disrupt clinical workflows once set up.
Backups second. Verify your backup is running, recent, and isolated. Test a restore at least once a year. A backup you have never tested is a backup you cannot trust.
Patch operating systems third. Enable automatic Windows updates on all workstations and servers. This closes the door on a large proportion of known attack vectors.
Common questions
Does RACGP require Essential Eight compliance?
Not explicitly — but RACGP Standards 5th Edition requires demonstrable information security practices, and Essential Eight is what auditors use as the reference standard. Implementing it puts you in a strong position for accreditation.
We're a small practice — does this apply to us?
Yes. Small practices are specifically targeted because attackers assume their defences are weaker. The controls scale to any practice size, and starting with MFA and patching costs very little.
How long does it take to implement?
A basic level one implementation across a five-workstation practice typically takes one to two days of IT work. Some controls (like configuring Windows Update policies) take minutes. Others (like application control) require more careful planning to avoid disrupting clinical workflows.
Getting to Essential Eight level one is achievable for most practices within a month. If you'd like an honest assessment of where your practice currently stands, a free IT health check will tell you exactly what's in place and what's missing — with no obligation and no sales pitch.
Not sure where your practice stands?
A free 30-minute discovery call will tell you exactly what's working, what isn't, and what to prioritise first.